The Center for Democracy and Technology has released a memo (PDF) on the economic costs, technical complications, and privacy implications of a data retention mandate. Data retention mandates would force Internet companies such as ISPs to keep records on their historical assignment of IP addresses and make that and other customer data available to law enforcement. CDT’s memo points out the technical issues surrounding IP address assignment, noting that there are a multitude of situations in which IP addresses are shared (such as in coffee shops, work places, and airports) and that they can’t reliably identify an end user. We couldn’t agree more. They also rightly note that "a data retention mandate would require the collection and management of vastly larger quantities of data than seemed necessary even a few years ago, at costs that could be prohibitive, especially for smaller and rural service providers, while yielding data less reliable in identifying end-user devices."

This memo couldn’t come at a better time. Congress is currently considering misguided data retention legislation that could compromise user privacy and burden ISPs. Learn more about the privacy issues surrounding data retention mandates by visiting EFF’s issue page. You should also use the EFF action center to send a letter to Congress telling them not to force Internet companies to spy on users.

Smart Meter Hacking for Privacy

On day four of the 28th Annual Chaos Communication Congress, Smart Hacking for Privacy explored the privacy-intrusive potential of smart meter technology. EFF has articulated the privacy concerns around smart meters – including how this technology can be used to monitor what appliances a consumer uses in the home and exactly when she uses them. According to Network World, Smart Hacking for Privacy went a step further and showed that under certain circumstances, researchers could use smart meters to "determine devices like how many PCs or LCD TVs [were] in a home, what TV program was being watched, and if a DVD movie being played had copyright-protected material." This builds off of research (PDF) by a team at the University of Washington on the electromagnetic interference (EMI) signatures produced by televisions. Smart Hacking for Privacy also demonstrated how smart meters could be hacked so that the readings were incorrect. The entire presentation is available on YouTube.

German Police Using Hundreds of Thousands of “Silent” SMS Messages for Tracking Suspects

The 28th Annual Chaos Communication Congress also featured a presentation from researcher Karsten Nohl on Defending Mobile Phones (the full presentation is available on YouTube). As both Tom's Guide and F-Secure pointed out, one of the most interesting facts discussed in the presentation was that German law enforcement was relying on "silent SMS" technology for tracking suspects. SMS is the protocol by which standard text messages are delivered to your cell phone; a “silent” SMS message would deliver a "message" to the phone without the user being aware. In other words, the user wouldn’t see a text message; she wouldn’t see any notice at all on her phone. That "silent" SMS interaction, in turn, leads to the creation of a log with the cell phone company that reveals which cell phone towers the phone was closest to when the SMS was received. German law enforcement apparently likes this technique so much they pinged cell phones with silent SMS over 440,000 times in 2010.

This isn’t the first time we’ve known law enforcement to invisibly ping a mobile phone to home in on the phone’s location without the user being aware. In United States v. Forest, the police used a similar technique, placing "silent" telephone calls to generate cell site logs with the provider where there otherwise wouldn’t be any, providing more frequent location fixes to help with tracking.

As this story demonstrates, the cell tower network can provide detailed data about a user’s daily movements based not just on phone calls but on other communications activities as well. Last year, for example, Malte Spitz demonstrated the precision and breadth of data collected through cell phone tracking when he forced his cell phone carrier to hand over the records they had on him. Those records revealed that the carrier had collected over 35,831 data points about his location – not only his location during phone calls but also when he sent or received SMS messages or used the Internet – in a mere 6 months.
